Organizations endeavor to protect their sensitive information from unauthorized access or use. Given the increased use of computer systems as a communication, delivery, and storage medium, organizations are constantly struggling to protect sensitive information related to those transactions. For example, banking organizations endeavor to prevent data breaches that could destabilize financial assets, ranging from mere merchant transactions to stock-market trading. Government entities likewise struggle to protect the unauthorized access of classified information systems, including tactical military records, social security databases, medical health reports, etc.
In some instances, departments within an organization may desire to limit or expand access rights to a sub-group of employees within that department. For example, a hospital may approve or deny different levels of access to a medical database based on the requestor's role as a nurse, accountant, or executive. On the other hand, the hospital may grant all access requests to that same database from requestors identified as physicians, regardless of their departmental affiliation.
Some organizations may require dynamic resource management. Specifically, in response to evolving business conditions or catastrophic acts of nature, these organizations must automatically reconfigure an employee's access privileges. Examples include permanently increasing a recently-promoted employee's access privileges or automatically increasing access privileges to all hospital employees during national emergencies. Alternatively, organizations may seek to automatically decrease employee access to particular resources based on inter-department transfers, employee resignation, or natural attrition.
Administering such dynamic and multi-tiered access control systems while fostering knowledge exchange among multiple branches of an organization requires tremendous efforts. Numerous variables must be considered, including the organization's risk tolerance, core business objectives, system stability, and employee roles and classifications. Indeed, many organizations fail to implement adequate access controls and instead provide their employees with unrestricted access to sensitive information based merely on their status as an employee of the organization. Such measures leave these organizations vulnerable to data breaches; particularly, the unauthorized access of sensitive data.
Conflicting organizational objectives compound the complexity of dynamic and multi-tiered access control systems. For example, organizations generally seek to promote collaborative efforts between departments, yet employ static access controls by restricting employee access to department-specific resources. This captures the classic organizational dilemma: fluid exchange of valuable information between departments versus the risks of its misuse. These considerations, among others, contribute to the difficulty in managing user access to resources and other information assets.
Traditional access control mechanisms lack the flexibility required to make adequate access control decisions that promptly respond to a changing organizational environment. Current access control decisions often adopt a static all-or-nothing approach, where an individual either has or lacks the privilege to access a resource. In addition, privilege revisions, if ever performed, may occur only sporadically, thereby exposing the organization to unnecessary risks. For example, employees of an organization may remain privileged to access sensitive information long after their departure or termination from that organization. Indeed, disgruntled employees frequently explore this vulnerability to access and expose embarrassing or confidential information. It is thus desirable to have a system for dynamically managing access to organizational resources, and to automatically modify access privileges within an organization's risk tolerance, based on a dynamic calculation of risk associated with each request to access resources.